On December 10, 2021, CVE-2021-44228 was reported, describing a vulnerability in the Log4j library that allowed a malicious user to run code on an affected system. On December 14, 2021, CVE-2021-45046 was reported, describing a second vulnerability in Log4j.
Solution
The version of Log4j used in Universal Type Server (UTS) 7 is NOT affected by the reported vulnerability of CVE-2021-44228 or CVE-2021-45046.
Additional Security Reports:
CVE-2018-19409 & CVE-2018-18284
Only affects Linux servers (Linux is not supported by Universal Type Server).
CVE-2018-16509
Requires local access to the system to be exploited. A secure network should mitigate this issue
CVE-2016-7979
CVE-2019-14813
CVE-2022-23302
Requires local access to the system to be exploited. A secure network should mitigate this issue
CVE-2022-42252
Only applicable if Universal Type Server is behind a reverse proxy that also fails to reject the request with the invalid header. Reverse proxies are not part of our standard configuration when developing Universal Type Server
CVE-2022-45143
Universal Type Server does not use this feature of Tomcat
CVE-2022-29885
Universal Type Server does not use any of the clustering features outlined in the vulnerability. A secure network should further mitigate this issue
CVE-2021-4104
We do not use JMSAppender in any of our products
CVE-2019-17571
We do not use the Log4j network logging features and are not affected
CVE-2020-9488
We do not use the Log4j SMTPAppender and are not affected
CVE-2022-23305
We do not use the Log4j JDBCAppender and are not affected
CVE-2022-23307 & CVE-2020-9493
This is related to Apache Chainsaw, a GUI log viewer that can be included with Log4j. We do not include it with our distribution and are not affected.
Our development teams have reviewed all other reported vulnerabilities for UTS and have determined them all to be low risk to the product, meaning an attacker does not have control over what can be modified.
If you are on version 6.x or earlier of Universal Type Server, please submit a support request to get assistance on how you may be able to update to UTS version 7.0.6. Updates may require you to have a current maintenance/service contract or a subscription with Extensis.
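For administrators who want to confirm the Log4j statements above on their own installation rather than take them on trust, the following is an added example (not Extensis code and not part of this advisory) that inventories Log4j jars under a directory, reads each jar's Implementation-Version from its manifest, and reports whether the JndiLookup class (the component behind CVE-2021-44228 and CVE-2021-45046 in Log4j 2.x) or the JMSAppender class (CVE-2021-4104 in Log4j 1.x) is present. The affected version ranges are taken from Apache's public advisories for those CVEs; the in-memory sample jars and the install path are constructed placeholders. It does not open jars nested inside .war/.ear files or detect classes relocated by a shading tool, so treat a clean result as one input to triage, not proof.

```python
"""Log4j jar triage helper (added example, not part of the Extensis advisory).

Walks a directory, opens every .jar/.war/.ear, and reports the Log4j
version plus the presence of the classes tied to the CVEs discussed above.
"""
import io
import os
import re
import zipfile

# Class entries whose presence matters for the CVEs on the page.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # Log4j 2.x, CVE-2021-44228 / CVE-2021-45046
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                # Log4j 1.x, CVE-2021-4104


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are
    dropped because the range checks only need major.minor.patch."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def manifest_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_jar(src, name="jar"):
    """Classify one jar (path or file-like object) against the Log4j CVEs.

    Ranges per Apache's advisories: CVE-2021-44228 affects 2.0-beta9..2.14.1
    (2.12.2 and 2.3.1 fixed); CVE-2021-45046 affects 2.0-beta9..2.15.0
    (2.12.2, 2.12.3 and 2.3.1 fixed). A jar with JndiLookup.class removed,
    the well-known interim mitigation, is not flagged for either.
    """
    with zipfile.ZipFile(src) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf)
    vt = version_tuple(version) if version else None
    has_jndi = JNDI_LOOKUP in names
    has_jms = JMS_APPENDER in names
    cves, notes = [], []
    if vt and has_jndi:
        if (2, 0, 0) <= vt <= (2, 14, 1) and vt not in {(2, 12, 2), (2, 3, 1)}:
            cves.append("CVE-2021-44228")
        if (2, 0, 0) <= vt <= (2, 15, 0) and vt not in {(2, 12, 2), (2, 12, 3), (2, 3, 1)}:
            cves.append("CVE-2021-45046")
    if vt and vt < (2, 0, 0) and has_jms:
        # Log4j 1.x: only exploitable if the logging configuration is attacker-writable.
        notes.append("JMSAppender present; CVE-2021-4104 applies only if the Log4j 1.x config can be modified by an attacker")
    return {"jar": name, "version": version, "jndi_lookup": has_jndi,
            "jms_appender": has_jms, "cves": cves, "notes": notes}


def scan_directory(root):
    """Assess every jar-like archive below root; unreadable archives are skipped."""
    results = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                try:
                    results.append(assess_jar(path, name=path))
                except zipfile.BadZipFile:
                    pass
    return results


def _fake_jar(version, classes):
    """Constructed fixture: a minimal in-memory jar with a manifest and empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        for c in classes:
            zf.writestr(c, b"")
    buf.seek(0)
    return buf


# Constructed samples covering the interesting cases (not real Extensis jars).
SAMPLE_JARS = {
    "log4j-core-2.14.1.jar": _fake_jar("2.14.1", [JNDI_LOOKUP]),
    "log4j-core-2.15.0.jar": _fake_jar("2.15.0", [JNDI_LOOKUP]),
    "log4j-core-2.14.1-stripped.jar": _fake_jar("2.14.1", []),   # JndiLookup.class removed
    "log4j-core-2.17.1.jar": _fake_jar("2.17.1", [JNDI_LOOKUP]),  # class present but version fixed
    "log4j-1.2.17.jar": _fake_jar("1.2.17", [JMS_APPENDER]),
}

if __name__ == "__main__":
    for jar_name, data in SAMPLE_JARS.items():
        print(assess_jar(data, jar_name))
    # On a real system, point at the install tree (placeholder path):
    # for r in scan_directory("/path/to/UniversalTypeServer"): print(r)
```

Run it against the application's install directory and any bundled JRE or Tomcat lib folders; a jar whose manifest carries no Implementation-Version shows `version: None` and should be identified by hand.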